1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to detection of email phishing attacks.
2. Description of the Background Art
Various financial transactions may be performed over the Internet. Examples of these financial transactions include online banking, sending or receiving of payments for product purchases (e.g., use of PayPal™ system), credit card purchases, and so on. Unfortunately, the convenience of performing online financial transactions over the Internet not only attracts legitimate users but fraudsters as well.
Fraudsters gain access to online financial accounts of their victims using a variety of techniques including by “phishing.” Phishing is a kind of social engineering that involves some form of misrepresentation. In an email phishing attack, the victim receives an email falsely claiming to be from the victim's financial institution. The email is made to look convincingly real, oftentimes complete with the look and feel of emails from the financial institution. The email includes a link to the fraudster's website, also referred to as “phishing site,” that serves a web page where the victim enters confidential financial account information (e.g., login ID, password, credit card information) thinking he is providing the information to his financial institution. The web page from the phishing site, like the email linking to it, is made to look authentic.
Currently employed techniques for protecting users from email phishing attacks include use of spam filters and web reputation service. A spam filter blocks emails that have characteristics of phishing. However, spam filters are not entirely effective because of the vast number of readily available tools that a fraudster may use to bypass statistical and rule based spam filters. A web reputation service maintains a database of network locations (e.g., uniform resource locators) of known phishing sites. The database serves as a blacklist that may be consulted to determine if a link included in an email is to a known phishing site. Unfortunately, phishing sites are easily relocated, making it difficult to keep track of their current locations. To compound the problem, it is difficult to maintain the database given the increasing number of phishing sites.